The branch, master has been updated
       via  2cae470f236 winbindd: find_auth_domain() and find_lookup_domain_from_name() should handle namespaces
       via  800048c1319 winbindd: add find_routing_from_namespace_noinit()
       via  2fdb34c5080 winbindd: remember ForestTrustInformation in routing_domain->fti
       via  87bb258a3f9 s3:passdb: add pdb_filter_hints()
       via  5f672b125f4 s4:rpc_server/lsa: let dcesrv_lsa_lookup_name_account() handle uPNSuffixes
       via  72d377c0f3b libcli/lsarpc: add trust_forest_info_match_tln_namespace()
       via  c5d2659688f libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() check RODC callers check computer_name
       via  b2e5de0e8c3 s4:rpc_server/netlogon: let dcesrv_netr_NTLMv2_RESPONSE_verify do RODC checking
       via  8bbea061409 libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() return the computer_name
       via  29b07aff09d libcli/auth: add NTLMv2_RESPONSE_verify_trust() checking
       via  dc7ac4d0a55 s3:rpc_server/netlogon: let _netr_NTLMv2_RESPONSE_verify() generate trust_forest_domain_info array
       via  442b961b7b4 s4:rpc_server/netlogon: let dcesrv_netr_NTLMv2_RESPONSE_verify generate trust_forest_domain_info array
       via  97e256566ff libcli/auth: pass trust_forest_domain_info array to NTLMv2_RESPONSE_verify_netlogon_creds
       via  ddf0434c962 s3:rpc_server/netlogon: split out _netr_NTLMv2_RESPONSE_verify()
       via  daa816af23d s4:rpc_server/netlogon: split out dcesrv_netr_NTLMv2_RESPONSE_verify()
       via  1e09a2846f5 libcli/auth: split out NTLMv2_RESPONSE_verify_workstation()
       via  36dddad8c60 docs-xml/smbdotconf: add ft_scanner to 'server service'
       via  f5b112b4366 s4:dsdb: add forest trust scanner service
       via  af0b9122154 s3:tldap: add tldap_msg_rc() helper
       via  69f528a9cea winbindd: make use of lsaR[G|S]etForestTrustInformation2 to allow SCANNER_INFO
       via  2db3185fb75 s4:rpc_server/lsa: add lsaR[G|S]etForestTrustInformation2 support to allow FOREST_TRUST_SCANNER_INFO
       via  fba41093e9f s4:dsdb/common: let dsdb_trust_merge_forest_info() handle SCANNER and BINARY records
       via  02b4fdd41dc s4:dsdb/common: let dsdb_trust_normalize_forest_info_step2() handle SCANNER and BINARY records
       via  ce3635832d8 s4:dsdb/common: let dsdb_trust_normalize_forest_info_step1() handle BINARY and SCANNER records
       via  54b8c0dd5b9 s4:dsdb/common: let dsdb_trust_forest_info_add_record() handle BINARY and SCANNER records
       via  34b47c9c22c libcli/lsarpc: let trust_forest_info_from_lsa2() handle BINARY and SCANNER records
       via  60943b52f23 libcli/lsarpc: add trust_forest_info_lsa_2to2()
       via  ce5e3777979 libcli/lsarpc: let trust_forest_{record_lsa_2to1,info_to_lsa}() handle SCANNER_INFO
       via  63045ddc4a5 libcli/lsarpc: let trust_forest_{record_lsa_1to2,info_from_lsa}() handle BINARY and SCANNER records
       via  6fdb76667d4 libcli/lsarpc: let trust_forest_record_to_lsa() handle BINARY and SCANNER records
       via  57352cf7697 libcli/lsarpc: let trust_forest_record_from_lsa() handle BINARY and SCANNER records
       via  c0f025c87cb s4:dsdb/util_trusts: convert most functions from lsa_ForestTrustInformation to lsa_ForestTrustInformation2
       via  8dc11c71b4d libcli/lsarpc: add trust_forest_info_lsa_{1to2,2to1}()
       via  c903d4699cc libcli/lsarpc: add trust_forest_info_{from,to}_lsa2()
       via  1b03e4f541f s4:rpc_server/lsa: split out dcesrv_lsa_SetFTI()
       via  1a7adef42af s4:rpc_server/lsa: split out dcesrv_lsa_QueryFTI()
       via  90436ac0894 libcli/lsarpc: change trust_forest_record_to_lsa to lsa_ForestTrustRecord2
       via  c91cba2fce6 libcli/lsarpc: change trust_forest_record_from_lsa to lsa_ForestTrustRecord2
       via  745303e6718 libcli/lsarpc: don't allocate in trust_forest_record_to_lsa()
       via  9cf4731afba libcli/lsarpc: change logic in trust_forest_record_to_lsa() to avoid default:
       via  380478772dd libcli/lsarpc: split out trust_forest_record_from_lsa
       via  ddf2fe42443 s4:rpc_server/lsa: always add msDS-TrustForestTrustInfo if FOREST_TRANSITIVE is set
       via  b4e97c08bc0 s4:rpc_server/lsa: add allocation checks to fill_trust_domain_ex()
       via  04a496cd220 s4:dsdb/common: add dsdb_trust_default_forest_info()
       via  6c135ef7844 dsdb:util_trusts: replace dsdb_trust_find_tln[_ex]_match() with trust_forest_info_tln[_ex]_match()
       via  6f6aa8d6613 libcli/lsarpc: add trust_forest_info_tln[_ex]_match()
       via  a8a933ab5e6 libcli/lsarpc: fix talloc hierarchy in trust_forest_info_from_lsa()
       via  126a3a26a67 libcli/lsarpc: fix talloc hierarchy in trust_forest_record_to_lsa()
       via  b2fc827b64b dsdb:util_trusts: remove unused dsdb_trust_forest_info_{from,to}_lsa()
       via  128f64471d4 dsdb:util_trusts: make use of trust_forest_info_to_lsa()
       via  23cc5113abb s4:rpc_server/lsa: make use of trust_forest_info_{from,to}_lsa()
       via  2bf1e671684 libcli/lsarpc: add trust_forest_info_{from,to}_lsa()
       via  7b304524a3b libcli/lsarpc: add missing forward declarations for lsa_TrustDomainInfo{AuthInfo,Buffer}
       via  38f08fbbbdf libcli/security: add dom_sid_match_prefix() helper
      from  38e5b3d6a24 winbind:varlink: Always reply with the requested username

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 2cae470f236a429862a274de28ce60e8bfecf27e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jun 5 04:29:07 2018 +0200

    winbindd: find_auth_domain() and find_lookup_domain_from_name() should handle namespaces

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Sat Feb 22 17:03:27 UTC 2025 on atb-devel-224

commit 800048c131951b083a17ed2b3419a2c28ac94737
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu May 17 10:37:34 2018 +0200

    winbindd: add find_routing_from_namespace_noinit()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 2fdb34c5080f28f8f25a5830af150095124c7714
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 2 04:09:46 2018 +0100

    winbindd: remember ForestTrustInformation in routing_domain->fti

    This will be used for sid/name filtering in the following commits.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 87bb258a3f954bbdea6826fa37c226a763d69793
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 2 09:43:02 2018 +0100

    s3:passdb: add pdb_filter_hints()

    This reveals information about our own domain/forest.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 5f672b125f4bda2410ecc1e1a2a84913f0e5fa74
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jun 5 05:24:03 2018 +0200

    s4:rpc_server/lsa: let dcesrv_lsa_lookup_name_account() handle uPNSuffixes

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 72d377c0f3bd63398bff1a063ffbcbefd16c111a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu May 17 10:37:34 2018 +0200

    libcli/lsarpc: add trust_forest_info_match_tln_namespace()

    This will be used by the namespace filtering part of sid filtering...

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit c5d2659688f3c017cf4d63eb2217a2098cffd6a3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 14 23:22:45 2025 +0100

    libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() check RODC callers check computer_name

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit b2e5de0e8c3a2c4136815d378d0164afca9f5754
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 14 20:56:31 2025 +0100

    s4:rpc_server/netlogon: let dcesrv_netr_NTLMv2_RESPONSE_verify do RODC checking

    This implements MS-NRPC 3.5.4.5.1.2 RODC server cachability validation.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 8bbea061409cd36352f10125a318955c11e48d69
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 14 22:57:20 2025 +0100

    libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() return the computer_name

    This will be used to implement the MS-NRPC 3.5.4.5.1.2 RODC server
    cachability validation.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 29b07aff09d8a6e592414134873bef3178d4c1e0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 14 21:54:46 2025 +0100

    libcli/auth: add NTLMv2_RESPONSE_verify_trust() checking

    This implements MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit dc7ac4d0a5595797b95905c098fdac2d42dbdc84
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 14 20:57:07 2025 +0100

    s3:rpc_server/netlogon: let _netr_NTLMv2_RESPONSE_verify() generate trust_forest_domain_info array

    MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation,
    requires to pass information about the trust topology to
    NTLMv2_RESPONSE_verify_netlogon_creds()...

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 442b961b7b457889400a84ca9fd082998eb0a178
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 14 20:03:56 2025 +0100

    s4:rpc_server/netlogon: let dcesrv_netr_NTLMv2_RESPONSE_verify generate trust_forest_domain_info array

    MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation,
    requires to pass information about the trust topology to
    NTLMv2_RESPONSE_verify_netlogon_creds()...

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 97e256566ffe42fc1bb62623b658247b5d899bde
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 14 20:02:30 2025 +0100

    libcli/auth: pass trust_forest_domain_info array to NTLMv2_RESPONSE_verify_netlogon_creds

    This will be used in the next commits in order to implement
    MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit ddf0434c9625969b051b594ce2d3dce43a74dd91
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 14 17:37:45 2025 +0100

    s3:rpc_server/netlogon: split out _netr_NTLMv2_RESPONSE_verify()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit daa816af23dfef7a396e54226b837a89388bbc46
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 14 17:33:31 2025 +0100

    s4:rpc_server/netlogon: split out dcesrv_netr_NTLMv2_RESPONSE_verify()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 1e09a2846f555e98a6f534225cc4acb90c3d6c6c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 13 18:19:42 2025 +0100

    libcli/auth: split out NTLMv2_RESPONSE_verify_workstation()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 36dddad8c60e041ae4a940b59ea8afdee32136bb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 13:42:15 2025 +0100

    docs-xml/smbdotconf: add ft_scanner to 'server service'

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit f5b112b436667f6cedf5a4b62821dca36ed4471f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Feb 10 14:56:15 2025 +0100

    s4:dsdb: add forest trust scanner service

    See MS-ADTS 3.1.1.6.4 PDC Forest Trust Update

    It basically connects to all forest trusts and
    searches for crossRef objects with SYSTEM_FLAG_CR_NTDS_DOMAIN
    under CN=Partitions,CN=Configuration.

    With this information it adds/removes FOREST_TRUST_SCANNER_INFO
    records into the msDS-TrustForestTrustInfo of the local
    trustedDomain object.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit af0b91221544635597f70eab42eaa0e2c7fd89da
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 12:45:06 2025 +0100

    s3:tldap: add tldap_msg_rc() helper

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 69f528a9ceac901c6e43b95b5d782e4b2d0d615c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 12 17:09:05 2025 +0100

    winbindd: make use of lsaR[G|S]etForestTrustInformation2 to allow SCANNER_INFO

    Note that we don't need to handle a fallback to
    old servers, because we only talk to ourselves here.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 2db3185fb75521b06c41c3e803a6fe9e964eacb1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 6 10:28:37 2025 +0100

    s4:rpc_server/lsa: add lsaR[G|S]etForestTrustInformation2 support to allow FOREST_TRUST_SCANNER_INFO

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit fba41093e9f2bdc9b2977394dc58424746ae2380
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 12 16:52:34 2025 +0100

    s4:dsdb/common: let dsdb_trust_merge_forest_info() handle SCANNER and BINARY records

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 02b4fdd41dc1d82fc8b92949fabf128bb4c5da73
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 12 16:48:05 2025 +0100

    s4:dsdb/common: let dsdb_trust_normalize_forest_info_step2() handle SCANNER and BINARY records

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit ce3635832d8bbd76c5cfe6867432bc8815042f28
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 12 16:41:02 2025 +0100

    s4:dsdb/common: let dsdb_trust_normalize_forest_info_step1() handle BINARY and SCANNER records

    Note for scanner records we need to filter out
    duplicates, but binary records may exist multiple times.

    Review with: git show -w

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 54b8c0dd5b92b689635e5fb93285c0833250d0a1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 13 10:22:38 2025 +0100

    s4:dsdb/common: let dsdb_trust_forest_info_add_record() handle BINARY and SCANNER records

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 34b47c9c22c3b183ea8a8d2c042eed8cf4a44f77
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 23:19:51 2025 +0100

    libcli/lsarpc: let trust_forest_info_from_lsa2() handle BINARY and SCANNER records

    The tricky part is that we also need to upgrade
    LSA_FOREST_TRUST_BINARY_DATA records into
    FOREST_TRUST_SCANNER_INFO records.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 60943b52f237aedeca5b2945d49872fc4e4dc8ec
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 13 15:05:02 2025 +0100

    libcli/lsarpc: add trust_forest_info_lsa_2to2()

    This normalizes LSA_FOREST_TRUST_BINARY_DATA in
    LSA_FOREST_TRUST_SCANNER_INFO.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit ce5e3777979057cb4721b86e141243f67cb7b8a4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 23:19:51 2025 +0100

    libcli/lsarpc: let trust_forest_{record_lsa_2to1,info_to_lsa}() handle SCANNER_INFO

    We need to convert the [LSA_]FOREST_TRUST_SCANNER_INFO record
    into a binary record, but with LSA_FOREST_TRUST_SCANNER_INFO
    as type.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 63045ddc4a56d6f2d67e4cb95aa8c53caf1accb7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 23:19:51 2025 +0100

    libcli/lsarpc: let trust_forest_{record_lsa_1to2,info_from_lsa}() handle BINARY and SCANNER records

    The tricky part is that it's all based on the sub_type
    within the binary data, if it's FOREST_TRUST_SCANNER_INFO
    the record is upgraded to an LSA_FOREST_TRUST_SCANNER_INFO,
    otherwise it's downgraded to an LSA_FOREST_TRUST_BINARY_DATA record.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 6fdb76667d411148b910e5347f0c4ffb95daafc4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 23:19:51 2025 +0100

    libcli/lsarpc: let trust_forest_record_to_lsa() handle BINARY and SCANNER records

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 57352cf7697e8a3031a87c8b1501668786a850a3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 23:19:51 2025 +0100

    libcli/lsarpc: let trust_forest_record_from_lsa() handle BINARY and SCANNER records

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit c0f025c87cbe4b6de4f606a82248530827dc7d6b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 12 16:26:06 2025 +0100

    s4:dsdb/util_trusts: convert most functions from lsa_ForestTrustInformation to lsa_ForestTrustInformation2

    We use trust_forest_info_lsa_{1to2,2to1}() where needed.

    This will make it possible to support FOREST_TRUST_BINARY_DATA
    and FOREST_TRUST_SCANNER_INFO later.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 8dc11c71b4dee5a103084f4ddce1378e1cdc293c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 12 00:49:07 2025 +0100

    libcli/lsarpc: add trust_forest_info_lsa_{1to2,2to1}()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit c903d4699cc38397ecf49c503b126017bb21bb17
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 5 14:42:18 2025 +0100

    libcli/lsarpc: add trust_forest_info_{from,to}_lsa2()

    Note for now these will fail for FOREST_TRUST_BINARY_DATA
    and FOREST_TRUST_SCANNER_INFO. But this will still make
    the transition from lsa_ForestTrustInformation to
    lsa_ForestTrustInformation2 easier.

    Support for FOREST_TRUST_BINARY_DATA and
    FOREST_TRUST_SCANNER_INFO will be added before
    we implement the forest trust background scanner job
    and the lsaRSetForestTrustInformation2 function.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 1b03e4f541f8a38d2bc84bafb495463acc4c277a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 12 10:00:58 2025 +0100

    s4:rpc_server/lsa: split out dcesrv_lsa_SetFTI()

    This will help implementing dcesrv_lsa_lsaRSetForestTrustInformation2
    later...

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 1a7adef42af2b6e2eb5862b17bed64ae2cfdf27e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 12 01:14:39 2025 +0100

    s4:rpc_server/lsa: split out dcesrv_lsa_QueryFTI()

    This will help implementing dcesrv_lsa_lsaRQueryForestTrustInformation2
    later...

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 90436ac0894caba7a3181b77907434751f2b1a16
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 23:08:14 2025 +0100

    libcli/lsarpc: change trust_forest_record_to_lsa to lsa_ForestTrustRecord2

    lsa_ForestTrustRecord2 is needed to represent all possible
    ForestTrustInfoRecord types including SCANNER_INFO in future.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit c91cba2fce6ddc03c1284c5cb7a81d7d4648a823
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 22:49:06 2025 +0100

    libcli/lsarpc: change trust_forest_record_from_lsa to lsa_ForestTrustRecord2

    lsa_ForestTrustRecord2 is needed to represent all possible
    ForestTrustInfoRecord types including SCANNER_INFO in future.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 745303e6718cad046126abb48eda811ca199c68f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 23:01:49 2025 +0100

    libcli/lsarpc: don't allocate in trust_forest_record_to_lsa()

    It will help with the following changes to allocate
    lsa_ForestTrustRecord in the caller.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 9cf4731afbabf0f6f6552ed6e039adf32c027e0e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 22:27:04 2025 +0100

    libcli/lsarpc: change logic in trust_forest_record_to_lsa() to avoid default:

    We should let the compiler warn us if an enum type is missing.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 380478772dd509155647b608ee2265d56835a648
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 22:22:16 2025 +0100

    libcli/lsarpc: split out trust_forest_record_from_lsa

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit ddf2fe42443590e7e05d30797758c846ea2f2319
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 5 18:05:46 2025 +0100

    s4:rpc_server/lsa: always add msDS-TrustForestTrustInfo if FOREST_TRANSITIVE is set

    Windows (at least server 2025) always creates the
    default msDS-TrustForestTrustInfo, with just
    a TOP_LEVEL_NAME and DOMAIN_INFO representing
    the forest root domain of the trust.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit b4e97c08bc0930f53bc4ec2c7552f73851f5f9c0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 5 18:05:58 2025 +0100

    s4:rpc_server/lsa: add allocation checks to fill_trust_domain_ex()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 04a496cd220a1304c2a73aad7521edb4b2e22077
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 11 16:09:53 2025 +0100

    s4:dsdb/common: add dsdb_trust_default_forest_info()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 6c135ef7844a1a9a27ea8368aae31a43712d224e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jun 5 03:43:25 2018 +0200

    dsdb:util_trusts: replace dsdb_trust_find_tln[_ex]_match() with trust_forest_info_tln[_ex]_match()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 6f6aa8d661333add059760c52e530a47bf656b6f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jun 5 03:36:39 2018 +0200

    libcli/lsarpc: add trust_forest_info_tln[_ex]_match()

    These are copies of dsdb_trust_find_tln[_ex]_match() in
    source4/dsdb/common/util_trusts.c, which gets replaced
    in the next commits.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit a8a933ab5e618df8e2ddb6aae4f00ca7c309f2c6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 5 14:27:15 2025 +0100

    libcli/lsarpc: fix talloc hierarchy in trust_forest_info_from_lsa()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 126a3a26a67f9864bb1bd45c511fd8ff4b4515a6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 5 10:35:41 2025 +0100

    libcli/lsarpc: fix talloc hierarchy in trust_forest_record_to_lsa()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit b2fc827b64b3c2f9c169304e012cb67f96bb36c3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jun 5 02:53:53 2018 +0200

    dsdb:util_trusts: remove unused dsdb_trust_forest_info_{from,to}_lsa()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 128f64471d4a276694c7065f267d8fd5770073d1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jun 5 02:53:22 2018 +0200

    dsdb:util_trusts: make use of trust_forest_info_to_lsa()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 23cc5113abb6ca2b7427f0e1f1c4d024c6e83186
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jun 5 02:52:10 2018 +0200

    s4:rpc_server/lsa: make use of trust_forest_info_{from,to}_lsa()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 2bf1e671684639b32438ac05805d3fa4d847f2b6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jun 5 02:44:28 2018 +0200

    libcli/lsarpc: add trust_forest_info_{from,to}_lsa()

    They will replace the dsdb_trust_forest_info_{from,to}_lsa() functions.
    They are just copied over.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 7b304524a3be4a2678bd59ac36f1651c58e98f3a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jun 5 02:41:52 2018 +0200

    libcli/lsarpc: add missing forward declarations for lsa_TrustDomainInfo{AuthInfo,Buffer}

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 38f08fbbbdff96b960dac33c877a6902b1816061
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 19 15:58:34 2024 +0100

    libcli/security: add dom_sid_match_prefix() helper

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/base/serverservices.xml | 2 +-
 lib/param/loadparm.c | 2 +-
 libcli/auth/proto.h | 14 +-
 libcli/auth/smbencrypt.c | 633 +++++++++-
 libcli/lsarpc/util_lsarpc.c | 947 ++++++++++++++
 libcli/lsarpc/util_lsarpc.h | 37 +
 libcli/lsarpc/wscript_build | 2 +-
 libcli/security/dom_sid.c | 35 +-
 libcli/security/dom_sid.h | 2 +
 selftest/knownfail.d/upn_handling | 3 -
 source3/include/passdb.h | 14 +-
 source3/include/tldap.h | 1 +
 source3/lib/tldap.c | 9 +
 source3/param/loadparm.c | 2 +-
 ...passdb-0.29.0.sigs => samba-passdb-0.30.0.sigs} | 1 +
 source3/passdb/pdb_interface.c | 65 +
 source3/passdb/pdb_samba_dsdb.c | 70 ++
 source3/rpc_server/netlogon/srv_netlog_nt.c | 264 +++-
 source3/winbindd/winbindd.h | 2 +
 source3/winbindd/winbindd_dual_srv.c | 62 +-
 source3/winbindd/winbindd_pam.c | 8 +-
 source3/winbindd/winbindd_proto.h | 1 +
 source3/winbindd/winbindd_util.c | 135 +-
 source3/wscript_build | 2 +-
 source4/dsdb/common/util_trusts.c | 736 +++++------
 source4/dsdb/ft_scanner/ft_scanner_periodic.c | 122 ++
 source4/dsdb/ft_scanner/ft_scanner_service.c | 157 +++
 source4/dsdb/ft_scanner/ft_scanner_service.h | 57 +
 source4/dsdb/ft_scanner/ft_scanner_tdos.c | 1329 ++++++++++++++++++++
 source4/dsdb/wscript_build | 14 +
 source4/rpc_server/lsa/dcesrv_lsa.c | 335 ++++-
 source4/rpc_server/lsa/lsa_lookup.c | 17 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 285 ++++-
 33 files changed, 4759 insertions(+), 606 deletions(-)
 copy source3/passdb/ABI/{samba-passdb-0.29.0.sigs => samba-passdb-0.30.0.sigs} (99%)
 create mode 100644 source4/dsdb/ft_scanner/ft_scanner_periodic.c
 create mode 100644 source4/dsdb/ft_scanner/ft_scanner_service.c
 create mode 100644 source4/dsdb/ft_scanner/ft_scanner_service.h
 create mode 100644 source4/dsdb/ft_scanner/ft_scanner_tdos.c


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/base/serverservices.xml b/docs-xml/smbdotconf/base/serverservices.xml index dba65e9a69b..534580f3e6d 100644 --- a/docs-xml/smbdotconf/base/serverservices.xml +++ b/docs-xml/smbdotconf/base/serverservices.xml @@ -12,6 +12,6 @@ <constant>-</constant>. </para> </description> -<value type="default">s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns</value> +<value type="default">s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, ft_scanner, winbindd, ntp_signd, kcc, dnsupdate, dns</value> <value type="example">-s3fs, +smb</value> </samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 7d7c7493eb2..ae397330598 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2735,7 +2735,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "max connections", "0"); lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); - lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"); + lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl ft_scanner winbindd ntp_signd kcc dnsupdate dns"); lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true"); /* the winbind method for domain controllers is for both RODC auth forwarding and for trusted domains */ diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h index 8a9087bb647..79ab72cb852 100644 --- a/libcli/auth/proto.h +++ b/libcli/auth/proto.h 
@@ -217,11 +217,23 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx, const DATA_BLOB *names_blob, DATA_BLOB *lm_response, DATA_BLOB *nt_response, DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ; +struct lsa_TrustDomainInfoInfoEx; +struct lsa_ForestTrustInformation2; +struct trust_forest_domain_info { + bool is_local_forest; + bool is_checked_trust; + struct lsa_TrustDomainInfoInfoEx *tdo; + struct lsa_ForestTrustInformation2 *fti; +}; NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name, const char *account_domain, const DATA_BLOB response, const struct netlogon_creds_CredentialState *creds, - const char *workgroup); + const char *workgroup, + size_t num_domains, + const struct trust_forest_domain_info *domains, + TALLOC_CTX *mem_ctx, + char **_computer_name); /*********************************************************** encode a password buffer with a unicode password. The buffer diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c index 7818d2921f8..03195855e92 100644 --- a/libcli/auth/smbencrypt.c +++ b/libcli/auth/smbencrypt.c 
@@ -647,11 +647,511 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx, lm_response, nt_response, lm_session_key, user_session_key); } +static NTSTATUS NTLMv2_RESPONSE_verify_workstation(const char *account_name, + const char *account_domain, + const struct NTLMv2_RESPONSE *v2_resp, + const struct netlogon_creds_CredentialState *creds, + const char *workgroup) +{ + TALLOC_CTX *frame = talloc_stackframe(); + const struct AV_PAIR *av_nb_cn = NULL; + const struct AV_PAIR *av_nb_dn = NULL; + int cmp; + + /* + * Make sure the netbios computer name in the + * NTLMv2_RESPONSE matches the computer name + * in the secure channel credentials for workstation + * trusts. + * + * And the netbios domain name matches our + * workgroup. + * + * This prevents workstations from requesting + * the session key of NTLMSSP sessions of clients + * to other hosts. + */ + av_nb_cn = ndr_ntlmssp_find_av(&v2_resp->Challenge.AvPairs, + MsvAvNbComputerName); + av_nb_dn = ndr_ntlmssp_find_av(&v2_resp->Challenge.AvPairs, + MsvAvNbDomainName); + + if (av_nb_cn != NULL) { + const char *v = NULL; + char *a = NULL; + size_t len; + + v = av_nb_cn->Value.AvNbComputerName; + + a = talloc_strdup(frame, creds->account_name); + if (a == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + len = strlen(a); + if (len > 0 && a[len - 1] == '$') { + a[len - 1] = '\0'; + } + + cmp = strcasecmp_m(a, v); + if (cmp != 0) { + DEBUG(2,("%s: NTLMv2_RESPONSE with " + "NbComputerName[%s] rejected " + "for user[%s\\%s] " + "against SEC_CHAN_WKSTA[%s/%s] " + "in workgroup[%s]\n", + __func__, v, + account_domain, + account_name, + creds->computer_name, + creds->account_name, + workgroup)); + TALLOC_FREE(frame); + return NT_STATUS_LOGON_FAILURE; + } + } + if (av_nb_dn != NULL) { + const char *v = NULL; + + v = av_nb_dn->Value.AvNbDomainName; + + cmp = strcasecmp_m(workgroup, v); + if (cmp != 0) { + DEBUG(2,("%s: NTLMv2_RESPONSE with " + "NbDomainName[%s] rejected " + "for user[%s\\%s] " + "against 
SEC_CHAN_WKSTA[%s/%s] " + "in workgroup[%s]\n", + __func__, v, + account_domain, + account_name, + creds->computer_name, + creds->account_name, + workgroup)); + TALLOC_FREE(frame); + return NT_STATUS_LOGON_FAILURE; + } + } + + TALLOC_FREE(frame); + return NT_STATUS_OK; +} + +static NTSTATUS NTLMv2_RESPONSE_verify_trust(const char *account_name, + const char *account_domain, + const struct NTLMv2_RESPONSE *v2_resp, + const struct netlogon_creds_CredentialState *creds, + size_t num_domains, + const struct trust_forest_domain_info *domains) +{ + TALLOC_CTX *frame = talloc_stackframe(); + const struct trust_forest_domain_info *ld = NULL; + const struct trust_forest_domain_info *rd = NULL; + const struct AV_PAIR *av_nbt = NULL; + const char *nbt = NULL; + const struct AV_PAIR *av_dns = NULL; + const char *dns = NULL; + size_t di; + size_t fi; + bool match; + const struct lsa_ForestTrustDomainInfo *nbt_match_rd = NULL; + size_t nbt_matches = 0; + const struct lsa_ForestTrustDomainInfo *dns_match_rd = NULL; + size_t dns_matches = 0; + const char *schan_name = NULL; + + switch (creds->secure_channel_type) { + case SEC_CHAN_DNS_DOMAIN: + schan_name = "SEC_CHAN_DNS_DOMAIN"; + break; + case SEC_CHAN_DOMAIN: + schan_name = "SEC_CHAN_DOMAIN"; + break; + + default: + smb_panic(__location__); + return NT_STATUS_INTERNAL_ERROR; + } + + /* + * MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation + */ + + av_nbt = ndr_ntlmssp_find_av(&v2_resp->Challenge.AvPairs, + MsvAvNbDomainName); + if (av_nbt != NULL) { + nbt = av_nbt->Value.AvNbDomainName; + } + + if (nbt == NULL) { + /* + * Nothing to check + */ + TALLOC_FREE(frame); + return NT_STATUS_OK; + } + + av_dns = ndr_ntlmssp_find_av(&v2_resp->Challenge.AvPairs, + MsvAvDnsDomainName); + if (av_dns != NULL) { + dns = av_dns->Value.AvDnsDomainName; + } + + for (di = 0; di < num_domains; di++) { + const struct trust_forest_domain_info *d = + &domains[di]; + + if (d->is_local_forest) { + SMB_ASSERT(!d->is_checked_trust); + 
SMB_ASSERT(ld == NULL); + ld = d; + continue; + } + + if (d->is_checked_trust) { + SMB_ASSERT(rd == NULL); + rd = d; + continue; + } + } + + SMB_ASSERT(ld != NULL); + SMB_ASSERT(rd != NULL); + + /* + * All logic below doesn't handle WITHIN_FOREST trusts, + * but we don't supported them overall yet... + * + * Give an early error, so that the one + * implementing WITHIN_FOREST support will + * hit it easily... + */ + if (rd->tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) { + DBG_ERR("remote tdo[%s/%s] WITHIN_FOREST not supported yet\n", + rd->tdo->netbios_name.string, + rd->tdo->domain_name.string); + return NT_STATUS_NOT_SUPPORTED; + } + + /* + * Check the names doesn't match + * anything in our local domain/forest + */ + + match = strequal(nbt, ld->tdo->netbios_name.string); + if (match) { + DEBUG(2,("%s: NTLMv2_RESPONSE with " + "NbDomainName[%s] rejected " + "for user[%s\\%s] " + "against %s[%s/%s] " + "matches local tdo[%s/%s]\n", + __func__, nbt, + account_domain, + account_name, + schan_name, + creds->computer_name, + creds->account_name, + ld->tdo->netbios_name.string, + ld->tdo->domain_name.string)); + TALLOC_FREE(frame); + return NT_STATUS_LOGON_FAILURE; + } + + if (dns != NULL) { + match = strequal(dns, ld->tdo->domain_name.string); + if (match) { + DEBUG(2,("%s: NTLMv2_RESPONSE with " + "DnsDomainName[%s] rejected " + "for user[%s\\%s] " + "against %s[%s/%s] " + "matches local tdo[%s/%s]\n", + __func__, dns, + account_domain, + account_name, + schan_name, + creds->computer_name, + creds->account_name, + ld->tdo->netbios_name.string, + ld->tdo->domain_name.string)); + TALLOC_FREE(frame); + return NT_STATUS_LOGON_FAILURE; + } + } + + for (fi = 0; ld->fti != NULL && fi < ld->fti->count; fi++) { + const struct lsa_ForestTrustRecord2 *r = ld->fti->entries[fi]; + const struct lsa_ForestTrustDomainInfo *ldi = NULL; + + if (r == NULL) { + continue; + } + + if (r->type != LSA_FOREST_TRUST_DOMAIN_INFO) { + continue; + } + ldi = 
&r->forest_trust_data.domain_info; + + match = strequal(nbt, ldi->netbios_domain_name.string); + if (match) { + DEBUG(2,("%s: NTLMv2_RESPONSE with " + "NbDomainName[%s] rejected " + "for user[%s\\%s] " + "against %s[%s/%s] " + "matches local forest tdi[%s/%s]\n", + __func__, nbt, + account_domain, + account_name, + schan_name, + creds->computer_name, + creds->account_name, + ldi->netbios_domain_name.string, + ldi->dns_domain_name.string)); + TALLOC_FREE(frame); + return NT_STATUS_LOGON_FAILURE; + } + + if (dns == NULL) { + continue; + } + + match = strequal(dns, ldi->dns_domain_name.string); + if (match) { + DEBUG(2,("%s: NTLMv2_RESPONSE with " + "DnsDomainName[%s] rejected " + "for user[%s\\%s] " + "against %s[%s/%s] " + "matches local forest tdi[%s/%s]\n", + __func__, dns, + account_domain, + account_name, + schan_name, + creds->computer_name, + creds->account_name, + ldi->netbios_domain_name.string, + ldi->dns_domain_name.string)); + TALLOC_FREE(frame); + return NT_STATUS_LOGON_FAILURE; + } + } + + if (!(rd->tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)) { + /* + * Now check it's from the external trust + */ + + match = strequal(nbt, rd->tdo->netbios_name.string); + if (!match) { + DEBUG(2,("%s: NTLMv2_RESPONSE with " + "NbDomainName[%s] rejected " + "for user[%s\\%s] " + "against %s[%s/%s] " + "not matching remote tdo[%s/%s]\n", + __func__, nbt, + account_domain, + account_name, + schan_name, + creds->computer_name, + creds->account_name, + rd->tdo->netbios_name.string, + rd->tdo->domain_name.string)); + TALLOC_FREE(frame); + return NT_STATUS_LOGON_FAILURE; + } + + if (dns == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_OK; + } + + match = strequal(dns, rd->tdo->domain_name.string); + if (!match) { + DEBUG(2,("%s: NTLMv2_RESPONSE with " + "DnsDomainName[%s] rejected " + "for user[%s\\%s] " + "against %s[%s/%s] " + "not matching remote tdo[%s/%s]\n", + __func__, dns, + account_domain, + account_name, + schan_name, + creds->computer_name, + 
creds->account_name, + rd->tdo->netbios_name.string, + rd->tdo->domain_name.string)); + TALLOC_FREE(frame); + return NT_STATUS_LOGON_FAILURE; + } + + TALLOC_FREE(frame); + return NT_STATUS_OK; + } + + /* + * Now we check the SCANNER_INFO records + * and make sure the values are missing + * or unique. + */ + + for (di = 0; di < num_domains; di++) { + const struct trust_forest_domain_info *d = + &domains[di]; + + if (d == ld) { + /* + * Checked above + */ + continue; + } + + if (ld->fti == NULL) { + /* + * Nothing to check + * waiting for the + * forest trust scanner + * to catch it + */ + continue; + } + + for (fi = 0; fi < ld->fti->count; fi++) { + const struct lsa_ForestTrustRecord2 *r = ld->fti->entries[fi]; + const struct lsa_ForestTrustDomainInfo *lsi = NULL; + + if (r == NULL) { + continue; + } + + if (r->type != LSA_FOREST_TRUST_SCANNER_INFO) { + continue; + } + lsi = &r->forest_trust_data.scanner_info; + + match = strequal(nbt, lsi->netbios_domain_name.string); + if (match) { + if (d == rd) { + nbt_match_rd = lsi; + } + nbt_matches += 1; + } + + if (dns == NULL) { + continue; + } + + match = strequal(dns, lsi->dns_domain_name.string); + if (match) { + if (d == rd) { + dns_match_rd = lsi; + } + dns_matches += 1; + } + } + } + + if (nbt_matches == 0) { + /* + * No match of the netbios name at all, + * maybe the forest trust scanner did + * not run yet to catch it. + */ + TALLOC_FREE(frame); + return NT_STATUS_OK; + } + + if (nbt_match_rd != NULL && nbt_matches == 1) { + /* + * Exactly one match and that's from the + * remote trust that made the request. + */ + TALLOC_FREE(frame); + return NT_STATUS_OK; + } + + if (nbt_match_rd == NULL) { + /* + * There are matches only from other + * domains. 
+ */ + DEBUG(2,("%s: NTLMv2_RESPONSE with " + "NbDomainName[%s] rejected " + "for user[%s\\%s] " + "against %s[%s/%s] " + "nbt_matches[%zu] dns_matches[%zu], " + "but not from forest[%s/%s]\n", + __func__, nbt, + account_domain, + account_name, + schan_name, + creds->computer_name, + creds->account_name, + nbt_matches, -- Samba Shared Repository
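Review bot: In NTLMv2_RESPONSE_verify_trust() the LSA_TRUST_ATTRIBUTE_WITHIN_FOREST early exit does `return NT_STATUS_NOT_SUPPORTED;` without `TALLOC_FREE(frame);`, while every other return path visible in the function frees the talloc_stackframe() first. Add the free before that return. Separately, the SCANNER_INFO loop walks `di` over `domains` but reads `ld->fti->entries[fi]` for every `d`, after skipping `d == ld`. As written, the same local records are rescanned once per non-local domain, so `nbt_matches` and `dns_matches` scale with the number of trusts, the `nbt_matches == 1` accept path can only be reached when there is exactly one non-local entry, and `d == rd` records which iteration saw a match rather than which forest owns the name. If the intent is to look at each trusted forest's own records, both the NULL check and the inner loop should use `d->fti`. If rescanning the local fti is intended, a comment saying why would help the next reader.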